-- ================================================================= -- Copyright (C) 2001,2002 by HUAWEI 3COM TECHNOLOGIES. All rights reserved. -- -- Description: description of Port Security -- Reference: -- Version: V1.6 -- History: -- V1.0 2004-11-24, Created by lijian -- V1.1 2005-2-23, Modified by Zhangmin -- Add objects:h3cSecureRalmAuthDomain,h3cSecureRalmAuthOfflineTime -- h3cSecureRalmAuthServerTimeoutTime, -- h3cSecureRalmLoginFailure,h3cSecureRalmLogon -- h3cSecureRalmLogoff -- V1.2 2005-10-21, Modified the value range of 'h3cSecureRalmAuthPassword' -- from (0..16) to (0..63) by lijian -- V1.3 2006-01-21, Add TruthValue and h3cSecureAssignTable by wangyingxia -- V1.4 2006-02-24, Modified the description of h3cSecureBindingTable -- Modified the range of h3cSecureBindingIndex by xulei -- V1.5 2006-05-27, Add h3cSecureMacControl by ludi -- V1.6 2006-11-16, Add macAddressAndUserLoginSecure -- and macAddressAndUserLoginSecureExt for h3cSecurePortMode -- by huangyang -- ================================================================= A3COM-HUAWEI-PORT-SECURITY-MIB DEFINITIONS ::= BEGIN IMPORTS h3cPortSecurity FROM A3COM-HUAWEI-OID-MIB ifAdminStatus,ifIndex FROM RFC1213-MIB OBJECT-TYPE, NOTIFICATION-TYPE, MODULE-IDENTITY, Integer32, IpAddress FROM SNMPv2-SMI DisplayString, RowStatus, MacAddress, TruthValue FROM SNMPv2-TC dot1xAuthSessionUserName, dot1xAuthSessionAuthenticMethod, dot1xAuthSessionTerminateCause, dot1xPaePortNumber FROM IEEE8021-PAE-MIB ; h3cPortSecurityMIB MODULE-IDENTITY LAST-UPDATED "200411240000Z" ORGANIZATION "Huawei-3COM Technologies Co.,Ltd." CONTACT-INFO "R&D Beijing, Huawei-3COM Technologies Co.,Ltd. Huawei Bld.,NO.3 Xinxi Rd., Shang-Di Information Industry Base, Hai-Dian District Beijing P.R. China Zip:100085 Http://www.huawei-3com.com E-mail:support@huawei-3com.com " DESCRIPTION "The MIB module is used for managing port security." REVISION "200411240000Z" DESCRIPTION "The Initial Version of h3cPortSecurityMIB" ::= { h3cPortSecurity 1 } h3cPortSecurityLeaf OBJECT IDENTIFIER ::= { h3cPortSecurityMIB 1} -- -- SECURITY ACCESS CONTROL OBJECT -- h3cSecurePortSecurityControl OBJECT-TYPE SYNTAX INTEGER{enabled(1),disabled(2)} MAX-ACCESS read-write STATUS current DESCRIPTION "This attribute controls the system wide operation of network access control. The configured port security options only become operational when this attribute is set to enabled." ::= { h3cPortSecurityLeaf 1} -- -- SECURITY TABLE 'VLAN membership list' OBJECT -- h3cSecurePortVlanMembershipList OBJECT-TYPE SYNTAX DisplayString(SIZE(0..255)) MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "This is a dummy MIB object referenced by the h3csecureLogon and h3csecureLogoff traps. This object contains a comma separated list of the VLAN identifiers (0-4095) assigned to a port. A tagged VLAN has a 'T' suffix after the VLAN number and an untagged VLAN may have an optional 'U' suffix." ::= { h3cPortSecurityLeaf 2} -- -- RADIUS Authenticated Login using MAC-address GROUP -- h3cSecureRalmObjects OBJECT IDENTIFIER ::= { h3cPortSecurityLeaf 4 } h3cSecureRalmDefaultSessionTime OBJECT-TYPE SYNTAX INTEGER(1..1000000) MAX-ACCESS read-write STATUS current DESCRIPTION "Specifies the default session lifetime in seconds before a forwarding MAC address is re-authenticated. The default time is 1800 seconds." ::= { h3cSecureRalmObjects 1 } h3cSecureRalmHoldoffTime OBJECT-TYPE SYNTAX INTEGER(1..1000000) MAX-ACCESS read-write STATUS current DESCRIPTION "Specifies the time in seconds before a blocked (denied) MAC address can be re-authenticated. The default time is 60 seconds." ::= { h3cSecureRalmObjects 2 } h3cSecureRalmReauthenticate OBJECT-TYPE SYNTAX MacAddress MAX-ACCESS read-write STATUS current DESCRIPTION "Writing a MAC address to this object causes an immediate RALM re-authentication of this address (can be on any port). If the MAC address not currently known to RALM, it silently ignores the write." ::= { h3cSecureRalmObjects 3 } h3cSecureRalmAuthMode OBJECT-TYPE SYNTAX INTEGER { papUsernameAsMacAddress(1), papUsernameFixed(2) } MAX-ACCESS read-write STATUS current DESCRIPTION "This controls how MAC addresses are authenticated. papUsernameAsMacAddress(1) Authentication uses the RADIUS server by sending a PAP request with Username and Password both equal to the MAC address being authenticated. This is the default. papUsernameFixed(2) Authentication uses the RADIUS server by sending a PAP request with Username and Password coming from the h3cSecureRalmAuthUsername and h3cSecureRalmAuthPassword MIB objects. In this mode the RADIUS server would normally take into account the request's calling-station-id attribute, which is the MAC address of the host being authenticated." ::= { h3cSecureRalmObjects 4 } h3cSecureRalmAuthUsername OBJECT-TYPE SYNTAX DisplayString(SIZE(1..80)) MAX-ACCESS read-write STATUS current DESCRIPTION "This is the username used for authentication requests where h3cSecureRalmAuthMode is papUsernameFixed. Default shall be 'mac'." ::= { h3cSecureRalmObjects 5 } h3cSecureRalmAuthPassword OBJECT-TYPE SYNTAX DisplayString(SIZE(0..63)) MAX-ACCESS read-write STATUS current DESCRIPTION "This is the password used for authentication requests where h3cSecureRalmAuthMode is papUsernameFixed. Default shall be a null string." ::= { h3cSecureRalmObjects 6 } h3cSecureRalmAuthDomain OBJECT-TYPE SYNTAX DisplayString(SIZE(1..24)) MAX-ACCESS read-write STATUS current DESCRIPTION "MAC-authentication users may be configured in a specific domain, which excludes 802.1x and other authentication users. This specifies the domain of all MAC-authentication users." ::= { h3cSecureRalmObjects 7} h3cSecureRalmAuthOfflineTime OBJECT-TYPE SYNTAX INTEGER(1..65535) MAX-ACCESS read-write STATUS current DESCRIPTION "Switch isn't informed when online user is offline, so switch should be able to detect offline and inform radius server to stop accounting when there is no traffic of the user. This attribute configures the timer interval of offline-detect. The default time is 300 seconds." DEFVAL { 300 } ::= { h3cSecureRalmObjects 8} h3cSecureRalmAuthServerTimeoutTime OBJECT-TYPE SYNTAX INTEGER(1..65535) MAX-ACCESS read-write STATUS current DESCRIPTION "When switch sends request packets (include connecting request and offline request, etc) to radius server and there is no response, switch will terminate the authentication process. This attribute configures the timer interval of server-timeout. The default time is 100 seconds." DEFVAL { 100 } ::= { h3cSecureRalmObjects 9} h3cSecureMacControl OBJECT-TYPE SYNTAX INTEGER{enabled(1),disabled(2)} MAX-ACCESS read-write STATUS current DESCRIPTION "This attribute controls the system wide operation of mac-authentication. The system-wide mac-authentication options become non-operational when this attribute is set to disabled. This is required for h3cSecurePortSecurityControl to be enabled." ::= { h3cSecureRalmObjects 10 } h3cPortSecurityTables OBJECT IDENTIFIER ::= { h3cPortSecurityMIB 2} h3cSecurePortTable OBJECT-TYPE SYNTAX SEQUENCE OF H3cSecurePortEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table defines the security status of each secure port. Each port can have a number of authorised MAC addresses, and these are stored in the h3cSecureAddressTable." ::= { h3cPortSecurityTables 1} h3cSecurePortEntry OBJECT-TYPE SYNTAX H3cSecurePortEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "There is a row in this table for each secure port, and allows repeater ports to be configured for security on a per port basis. It is indexed using the object ifIndex in RFC1213-MIB." INDEX { ifIndex } ::= { h3cSecurePortTable 1} H3cSecurePortEntry ::= SEQUENCE { h3cSecurePortMode INTEGER, h3cSecureNeedToKnowMode INTEGER, h3cSecureIntrusionAction INTEGER, h3cSecureNumberAddresses Integer32, h3cSecureNumberAddressesStored Integer32, h3cSecureMaximumAddresses Integer32 } h3cSecurePortMode OBJECT-TYPE SYNTAX INTEGER { noRestrictions(1), continuousLearning(2), autoLearn(3), secure(4), userLogin(5), userLoginSecure(6), userLoginWithOUI(7), macAddressWithRadius(8), macAddressOrUserLoginSecure(9), macAddressElseUserLoginSecure(10), userLoginSecureExt(11), macAddressOrUserLoginSecureExt(12), macAddressElseUserLoginSecureExt(13), macAddressAndUserLoginSecure(14), macAddressAndUserLoginSecureExt(15) } MAX-ACCESS read-write STATUS current DESCRIPTION "Determines the learning and security modes of the port. See h3cSecureNeedToKnowMode and h3cSecureIntrusionAction to configure Need To Know and Intrusion Action on each port. (When in a learning mode, h3cSecureNumberAddresses determines the maximum number of addresses that can be learned on the port. This is set by the user.) noRestrictions(1) All of the security features are disabled. continuousLearning(2) Addresses are learned continually. If more addresses are learned than are permitted on the port, then one of the older entries will be aged out. Need To Know and Intrusion Action depends on h3cSecureNeedToKnowMode and h3cSecureIntrusionAction respectively. autoLearn(3) All addresses for this port are deleted, and then addresses are learned up to the number permitted. h3cSecurePortMode is then set to secure. Need To Know and Intrusion Action depends on h3cSecureNeedToKnowMode and h3cSecureIntrusionAction respectively. secure(4) Learning is disabled. Need To Know and Intrusion Action depends on h3cSecureNeedToKnowMode and h3cSecureIntrusionAction respectively. userLogin(5) Access to the port is denied until the port client is authorised (by 802.1X or other authentication mechanism). Once authorised, traffic will be accepted from any MAC address. The Need To Know and Intrusion Action are ignored. userLoginSecure(6) Access to the port is denied until the port client is authorised (by 802.1X or other authentication mechanism). When the client is authorised, the MAC address is added to the Secure Address Table. The h3cSecureMaximumAddresses is set to one automatically when this mode is entered. Any existing MAC addresses in the Secure Address Table are deleted. Need To Know and Intrusion Action depends on h3cSecureNeedToKnowMode and h3cSecureIntrusionAction respectively. Learning is disabled. userLoginWithOUI(7) This mode is similar to the userLoginSecure mode except that a second MAC address may be placed in the Secure Address Table. This second address is authorised based on the MAC address OUI value. If a new device with an authorised OUI value is discovered, the previous entry is deleted. Traffic from the OUI authorised device will be accepted even if the user has not been authenticated. Need To Know and Intrusion Action depends on h3cSecureNeedToKnowMode and h3cSecureIntrusionAction respectively. macAddressWithRadius(8) This selects the RADIUS Authenticated Login using MAC-address (RALM) security mode on the port. This feature controls network access of a host based on authenticating its MAC address. Once authorised, the host is allowed access to the network. If unauthorised, the port can be configured to deny access to this MAC address or to allow some access depending upon the port VLAN and QoS configuration. Where access is allowed, the MAC address is added to the Secure Address Table. macAddressOrUserLoginSecure(9) This selects both the macAddressWithRadius and userLoginSecure modes together such that either or both are allowed to authorised access. Where both authorised access, userLoginSecure takes precedence. macAddressElseUserLoginSecure(10) This selects both the macAddressWithRadius and userLoginSecure modes together such that the MAC address is first authenticated and only if this fails does the userLoginSecure then attempt user authentication. userLoginSecureExt(11) Access to the port is denied until the port client is authorised (by 802.1X or other authentication mechanism). When the client is authorised, the MAC address is added to the Secure Address Table. The h3cSecureNumberAddresses is restricted by the value of h3cSecureMaximumAddresses automatically when this mode is entered. Any existing MAC addresses in the Secure Address Table are deleted. Need To Know and Intrusion Action depends on h3cSecureNeedToKnowMode and h3cSecureIntrusionAction respectively. Learning is disabled. macAddressOrUserLoginSecureExt(12) This selects both the macAddressWithRadius and userLoginSecureExt modes together such that either or both are allowed to authorised access. Where both authorised access, userLoginSecure takes precedence. macAddressElseUserLoginSecureExt(13) This selects both the macAddressWithRadius and userLoginSecureExt modes together such that the MAC address is first authenticated and only if this fails does the userLoginSecure then attempt user authentication. macAddressAndUserLoginSecure(14) This selects both the macAddressWithRadius and userLoginSecure modes together such that the MAC address is first authenticated and only if this succeeds does the userLoginSecure then attempt user authentication. macAddressAndUserLoginSecureExt(15) This selects both the macAddressWithRadius and userLoginSecureExt modes together such that the MAC address is first authenticated and only if this succeeds does the userLoginSecure then attempt user authentication. " ::= { h3cSecurePortEntry 1} h3cSecureNeedToKnowMode OBJECT-TYPE SYNTAX INTEGER { notAvailable(1), disabled(2), needToKnowOnly(3), needToKnowWithBroadcastsAllowed(4), needToKnowWithMulticastsAllowed(5), permanentNeedToKnowOnly(6), permanentNeedToKnowWithBroadcastsAllowed(7), permanentNeedToKnowWithMulticastsAllowed(8) } MAX-ACCESS read-write STATUS current DESCRIPTION "Attribute to determine which frames are to be forwarded to this port intact. 1 - Need To Know is not available. 2 - All frames. 3 - Frames addressed to the authorised devices only. 4 - Frames addressed to the authorised devices, plus all broadcast frames. 5 - Frames addressed to the authorised devices, plus all broadcast and multicast frames. 6 - As 3 and cannot be changed. 7 - As 4 and cannot be changed. 8 - As 5 and cannot be changed. If this object returns 1,6,7 or 8, it means that the Need To Know configuration cannot be changed, and any attempt to write to this object will cause an error." ::= { h3cSecurePortEntry 2} h3cSecureIntrusionAction OBJECT-TYPE SYNTAX INTEGER { notAvailable(1), noAction(2), disablePort(3), disablePortTemporarily(4), allowDefaultAccess(5), blockMacAddress(6) } MAX-ACCESS read-write STATUS current DESCRIPTION "Attribute to determine the action if an unauthorised device transmits on this port." ::= { h3cSecurePortEntry 3} -- -- The following 3 objects are used to allow multiple MAC addresses to be -- assigned to the port. h3cSecureNumberAddresses OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS read-write STATUS current DESCRIPTION "The maximum number of addresses that the port can learn or store. Reducing this number may cause some addresses to be deleted. This value is set by the user and cannot be automatically changed by the agent. The maximum number will not include and limit the number of static mac addresses that configured by manager. The following relationship must be preserved. h3cSecureNumberAddressesStored <= h3cSecureNumberAddresses <= h3cSecureMaximumAddresses " ::= { h3cSecurePortEntry 4} h3cSecureNumberAddressesStored OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS read-only STATUS current DESCRIPTION "The number of addresses that are currently in the AddressTable for this port. If this object has the same value as h3cSecureNumberAddresses, then no more addresses can be authorised on this port. The number will not include and limit the number of static mac addresses that configured by manager. Those objects are bound by the relationship: h3cSecureNumberAddressesStored <= h3cSecureNumberAddresses <= h3cSecureMaximumAddresses " ::= { h3cSecurePortEntry 5} h3cSecureMaximumAddresses OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS read-only STATUS current DESCRIPTION "This indicates the maximum value that h3cSecureNumberAddresses can be set to. It is dependent on the resources available so may change, eg. if resources are shared between ports, then this value can both increase and decrease. This object must be read before setting h3cSecureNumberAddresses. Those objects are bound by the relationship: h3cSecureNumberAddressesStored <= h3cSecureNumberAddresses <= h3cSecureMaximumAddresses " ::= { h3cSecurePortEntry 6} -- -- SECURE ADDRESS TABLE -- h3cSecureAddressTable OBJECT-TYPE SYNTAX SEQUENCE OF H3cSecureAddressEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table stores the MAC addresses assigned to each port. This table can be written to by the agent as well as the management station." ::= { h3cPortSecurityTables 2} h3cSecureAddressEntry OBJECT-TYPE SYNTAX H3cSecureAddressEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table allows multiple addresses to be assigned to each secure port. It is indexed using the objects ifIndex, h3cSecureAddrMAC and h3cSecureVlanID." INDEX { ifIndex, h3cSecureAddrMAC, h3cSecureAddrVlanID } ::= { h3cSecureAddressTable 1} H3cSecureAddressEntry ::= SEQUENCE { h3cSecureAddrMAC MacAddress, h3cSecureAddrVlanID Integer32, h3cSecureAddrMACStatus INTEGER, h3cSecureAddrRowStatus RowStatus } h3cSecureAddrMAC OBJECT-TYPE SYNTAX MacAddress MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "The MAC address of a station assigned to this port. This is the second index into the h3cSecureAddressTable." ::= { h3cSecureAddressEntry 1} h3cSecureAddrVlanID OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS read-create STATUS current DESCRIPTION "The Vlan ID associate with the port and the MAC address. This is the third index into the h3cSecureAddressTable." ::= { h3cSecureAddressEntry 2} h3cSecureAddrMACStatus OBJECT-TYPE SYNTAX INTEGER { addressBlackhole(1), addressUserConfig(2), addressDot1xAuth(3), addressRALM(4) } MAX-ACCESS read-create STATUS current DESCRIPTION "The state of the mac address assigned to this port. addressBlackhole (1) the mac address is a blackhole address, Each packet whose source address is equal to this address will be dropped by the agent. addressUserConfig (2) the mac address configed by user with this state are preserved across power cycles and resets. addressDot1xAuth (3) the mac address is authorized by 802.1x authenticator, User can not configure this mac address. This value is used for GET and GETNEXT operation. addressRALM (4) the mac address is authorized by RALM authenticator, User can not configure this mac address. This value is used for GET and GETNEXT operation. " ::= { h3cSecureAddressEntry 3} h3cSecureAddrRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This manages the creation and deletion or rows, and shows the current status of the indexed MAC address. This object has the following values. active(1) The indexed MAC address is authorised on this port. notInService(2) Not Supported. notReady(3) Not Supported. createAndGo(4) Assign a new MAC address to the port and authorise immediately. createAndWait(5) Not Supported. destroy(6) Delete this entry. When creating a new entry, index a new row and use createAndGo(4). When reading this object, only active(1) will be returned. " ::= { h3cSecureAddressEntry 4} -- -- SECURE OUI TABLE -- h3cSecureOUITable OBJECT-TYPE SYNTAX SEQUENCE OF H3cSecureOUIEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table stores the OUI values for OUI based authentication." ::= { h3cPortSecurityTables 3} h3cSecureOUIEntry OBJECT-TYPE SYNTAX H3cSecureOUIEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This is a row in the h3cSecureOUITable." INDEX { h3cSecureOUIIndex } ::= { h3cSecureOUITable 1} H3cSecureOUIEntry ::= SEQUENCE { h3cSecureOUIIndex INTEGER, h3cSecureOUI OCTET STRING, h3cSecureOUIRowStatus RowStatus } h3cSecureOUIIndex OBJECT-TYPE SYNTAX INTEGER(1..1024) MAX-ACCESS not-accessible STATUS current DESCRIPTION "The index number. This is the first index into the h3cSecureOUITable." ::= { h3cSecureOUIEntry 1} h3cSecureOUI OBJECT-TYPE SYNTAX OCTET STRING(SIZE(3)) MAX-ACCESS read-create STATUS current DESCRIPTION "The OUI value for an authorised device." ::= { h3cSecureOUIEntry 2} h3cSecureOUIRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This manages the creation and deletion of rows, and shows the current status of the entry. active(1) The indexed OUI value is authorised. notInService(2) Not Supported. notReady(3) Not Supported. createAndGo(4) Assign a new OUI to the unit and authorise immediately. createAndWait(5) Not Supported. destroy(6) Delete this entry. When creating a new entry, index a new row and use createAndGo(4) . When reading this object, only active(1) will be returned. " ::= { h3cSecureOUIEntry 3} -- -- IP+MAC+PORT BINDING TABLE -- h3cSecureBindingTable OBJECT-TYPE SYNTAX SEQUENCE OF H3cSecureBindingEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table stores the elements of binding rules include the MAC addresses, the IP address and the port. Only the frame exactly matching the binding rules can be forwarded. This table can be written to by the agent as well as the management station." ::= { h3cPortSecurityTables 4} h3cSecureBindingEntry OBJECT-TYPE SYNTAX H3cSecureBindingEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "This table allows multiple binding rules. It is indexed using the object h3cSecureBindingIndex." INDEX { h3cSecureBindingIndex } ::= { h3cSecureBindingTable 1} H3cSecureBindingEntry ::= SEQUENCE { h3cSecureBindingIndex Integer32, h3cSecureBindingPort Integer32, h3cSecureBindingAddrMAC MacAddress, h3cSecureBindingAddrIp IpAddress, h3cSecureBindingRowStatus RowStatus } h3cSecureBindingIndex OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS not-accessible STATUS current DESCRIPTION "The index number. This is the first index into the h3cSecureBindingTable." ::= { h3cSecureBindingEntry 1} h3cSecureBindingPort OBJECT-TYPE SYNTAX Integer32 MAX-ACCESS read-create STATUS current DESCRIPTION "The port number of the port bound with the IP address and the MAC address." ::= { h3cSecureBindingEntry 2} h3cSecureBindingAddrMAC OBJECT-TYPE SYNTAX MacAddress MAX-ACCESS read-create STATUS current DESCRIPTION "The MAC address bound with the port and the IP address." ::= { h3cSecureBindingEntry 3} h3cSecureBindingAddrIp OBJECT-TYPE SYNTAX IpAddress MAX-ACCESS read-create STATUS current DESCRIPTION "The IP address bound with the port and the MAC address." ::= { h3cSecureBindingEntry 4} h3cSecureBindingRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This manages the creation and deletion or rows, and shows status of the entry. This object has the following values. active(1) The indexed MAC address is authorised on this port. notInService(2) Not Supported. notReady(3) Not Supported. createAndGo(4) Assign a new MAC address to the port and authorise immediately. createAndWait(5) Not Supported. destroy(6) Delete this entry. When creating a new entry, index a new row and use createAndGo(4). When reading this object, only active(1) will be returned. " ::= { h3cSecureBindingEntry 5} -- -- PORT ASSIGN TABLE -- h3cSecureAssignTable OBJECT-TYPE SYNTAX SEQUENCE OF H3cSecureAssignEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Table of port assignment management information about authorised user." ::= { h3cPortSecurityTables 5} h3cSecureAssignEntry OBJECT-TYPE SYNTAX H3cSecureAssignEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "An entry (conceptual row) representing information about port assignment about authorised user." INDEX { ifIndex } ::= { h3cSecureAssignTable 1} H3cSecureAssignEntry ::= SEQUENCE { h3cSecureAssignEnable TruthValue, h3cSecureVlanAssignment OCTET STRING } h3cSecureAssignEnable OBJECT-TYPE SYNTAX TruthValue MAX-ACCESS read-write STATUS current DESCRIPTION "The user-based port configuration control. Setting this attribute TRUE causes the port to be configured with any configuration parameters supplied by the authentication server. Setting this attribute to FALSE causes any configuration parameters supplied by the authentication server to be ignored." DEFVAL {true} ::= { h3cSecureAssignEntry 1 } h3cSecureVlanAssignment OBJECT-TYPE SYNTAX OCTET STRING(SIZE(0..255)) MAX-ACCESS read-only STATUS current DESCRIPTION "The VLAN membership assigned to the port for the authorised user. This contains the actual value received from the authentication server. This object will contain a null value if there is no user authorised to access the port or if the authorised user was not assigned a VLAN membership." ::= { h3cSecureAssignEntry 2 } -- ********************************************************************** -- Define enterprise repeater traps. Rules for traps are that any -- varbind must be from a table in which the first qualifier on the -- object id is the service identifier of the 'thing' causing the trap. -- ********************************************************************** h3cPortSecurityNotifications OBJECT IDENTIFIER ::= { h3cPortSecurityMIB 3} h3cSecureAddressLearned NOTIFICATION-TYPE OBJECTS { ifIndex, h3cSecureAddrMAC } STATUS current DESCRIPTION "This trap is sent when a new station has been learned. The port on which the address was received is the first object, and the MAC address of the learned station is in the second object." ::= { h3cPortSecurityNotifications 1} h3cSecureViolation NOTIFICATION-TYPE OBJECTS { ifIndex, h3cSecureAddrMAC, ifAdminStatus } STATUS current DESCRIPTION "This trap is sent whenever a security violation has occurred. The port on which the violation occured is the first object, and the MAC address of the offending station is in the second object. ifAdminStatus indicates if the port has been disabled because of the violation. The implementation may not send violation traps from the same port at intervals of less than 5 seconds." ::= { h3cPortSecurityNotifications 2} h3cSecureLoginFailure NOTIFICATION-TYPE OBJECTS { ifIndex, h3cSecureAddrMAC, dot1xAuthSessionUserName } STATUS current DESCRIPTION "This trap is sent whenever a user network access authentication has failed. The port on which the violation occured is the first object, and the MAC address of the offending station is in the second object. The dot1xAuthSessionUserName is the identity supplied during the user authentication." ::= { h3cPortSecurityNotifications 3} h3cSecureLogon NOTIFICATION-TYPE OBJECTS { ifIndex, h3cSecureAddrMAC, dot1xAuthSessionUserName, dot1xAuthSessionAuthenticMethod, h3cSecurePortVlanMembershipList } STATUS current DESCRIPTION "This trap is sent when a new session is started for an authorised port user. The port on which the violation occured is the first object, and the MAC address of the offending station is in the second object. The dot1xAuthSessionUserName is the identity supplied during the user authentication. The dot1xAuthSessionAuthenticMethod indicates how the user was authorised. The h3cSecurePortVlanMembershipList object identifies the VLAN membership assigned to the port on session activation." ::= { h3cPortSecurityNotifications 4} h3cSecureLogoff NOTIFICATION-TYPE OBJECTS { ifIndex, h3cSecureAddrMAC, dot1xAuthSessionUserName, dot1xAuthSessionTerminateCause, h3cSecurePortVlanMembershipList } STATUS current DESCRIPTION "This trap is sent when a user session is terminated. The port on which the violation occured is the first object, and the MAC address of the offending station is in the second object. The dot1xAuthSessionUserName is the identity supplied during the user authentication. The dot1xAuthSessionTerminateCause indicates the reason why the session was terminated. The h3cSecurePortVlanMembershipList object identifies the VLAN membership assigned to the port on session termination." ::= { h3cPortSecurityNotifications 5} h3cSecureRalmLoginFailure NOTIFICATION-TYPE OBJECTS { ifIndex, h3cSecureAddrMAC, h3cSecureRalmAuthMode, h3cSecureRalmAuthUsername } STATUS current DESCRIPTION "This trap is sent whenever a user network access authentication has failed. The port on which the violation occured is the first object, and the MAC address of the offending station is in the second object. The authentication mode indicates how the user was authorised. The h3cSecureRalmAuthUsername is the identity supplied during the user authentication." ::= { h3cPortSecurityNotifications 6} h3cSecureRalmLogon NOTIFICATION-TYPE OBJECTS { ifIndex, h3cSecureAddrMAC, h3cSecureRalmAuthMode, h3cSecureRalmAuthUsername, h3cSecurePortVlanMembershipList } STATUS current DESCRIPTION "This trap is sent when a new session is started for an authorised port user. The port on which the violation occured is the first object, and the MAC address of the offending station is in the second object. The authentication mode indicates how the user was authorised. The h3cSecureRalmAuthUsername is the identity supplied during the user authentication. The h3cSecurePortVlanMembershipList object identifies the VLAN membership assigned to the port on session activation." ::= { h3cPortSecurityNotifications 7} h3cSecureRalmLogoff NOTIFICATION-TYPE OBJECTS { ifIndex, h3cSecureAddrMAC, h3cSecureRalmAuthMode, h3cSecureRalmAuthUsername, h3cSecurePortVlanMembershipList } STATUS current DESCRIPTION "This trap is sent when a new session is started for an authorised port user. The port on which the violation occured is the first object, and the MAC address of the offending station is in the second object. The authentication mode indicates how the user was authorised. The h3cSecureRalmAuthUsername is the identity supplied during the user authentication. The h3cSecurePortVlanMembershipList object identifies the VLAN membership assigned to the port on session activation." ::= { h3cPortSecurityNotifications 8} END